
Attack your Site for Defense

An introduction to identifying website vulnerabilities with user friendly tools.
OWASP Chapter at UW Bothell
The Gray Hats Team at UW Bothell
www.owasp.org/index.php/UW_Bothell
orgsync.com/81448/chapter (student club)
David L. Morse
linkedin.com/in/davidlmorse

UWB Gray(ish) Hats

Student cyber defense team


Gathering together people interested in securing stuff by breaking it
No experience needed; new members always welcome!
To learn more, contact Brendan Sweeney:
bps7@uw.edu

http://www.nationalccdc.org/

The Problem

Websites are continuously, actively attacked via automated tools, botnets, and monsters !!!
Rapid changes in tech + increasing complexity = devs struggle to stay current
Given time, attackers will Always Win

http://www.pcworld.com/article/2045282/microsoft-almost-90-percent-of-citadel-botnets-in-the-world-disrupted-in-june.html

http://galleryhip.com/computer-hacker-icon.html

Damn Kids !!!

Modern tools make vulnerability discovery and penetration easy:
Burp Suite, Metasploit, Armitage, Grabber, Vega, Wapiti, etc, etc...
Suites of tools make "hail Mary" attacks possible (although noisy) by untrained attackers, which:

can damage network devices (even if they don't penetrate)

can cause DoS

have low cost to the attacker

are likely successful against weak / non-current systems
(e.g. if your web app is vulnerable or the admin is lazy)

Example: Most recent Metasploit modules

http://www.rapid7.com/db/modules/

The Goal

Developers need help, let's share best practice

User friendly tools exist !!!

Let's have fun, learn defensive coding and secure the WEB :-)

Today's Tool (no, it's not dave...)

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

OWASP == Sexy++
The OWASP Testing Guide includes "best practice" techniques for testing the most common web application and web service security issues.

owasp.org/index.php/Cheat_Sheets

Setup a testing environment

install vmware player (or virtualbox, etc.)
(for this demo, the example host platform is Linux Mint)

download the latest tar.gz of the bundle from:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0

Install via:
gksudo bash ~/Downloads/VMware-Player-7.1.02496824.x86_64.bundle

Note - we will isolate!!! the setup to protect the innocent

Simple Virt Environ

Install the Attacker Guest

install a kali vm (could use ISO, we use VM-image)

kali is based on Debian Linux

defaults to "root" user, use caution !!!!

download the latest vm image from:
https://www.offensive-security.com/kali-linux-vmware-arm-image-download/

Make some changes:

add user + sudo

change root pass

do updates (apt-get update & upgrade)

Kali Settings

About the Victim

Metasploitable 2 Exploitability Guide:
https://community.rapid7.com/docs/DOC-1875

Install Victim VM

install the metasploitable vm
download the image (latest is 2012) from sourceforge (or google):
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

**** Secure the host Network ****

Airgap, firewall, NAT, harden, change users/passes

do NOT let Victim image connect to internet !!!!

do NOT scan while Attacker connected to internet !!!!

Metasploitable 2 - Willing Victim

metasploitable default login and password: msfadmin : msfadmin

tweak (no, not twerk) the DB name: currently "metasploit", change to "owasp10"
sudo vi /var/www/mutillidae/config.inc

Finding it

scan ports

use "ifconfig" (or "ip addr") to show the victim IP

use nmap to scan for open ports:
nmap -p0-65535 192.168.x.x

applications are installed in Metasploitable 2 in the /var/www directory

use "ls /var/www" to view the directory

Cool stuff - the PHP information disclosure page can be found by browsing from the attacking machine:
http://192.168.x.x/phpinfo.php
(wow!! this shouldn't be visible to a visitor !!)
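As an added example (not part of the original slides), a small Python script that reads the port scan above in nmap's grepable form (nmap -oG) and flags open ports that are not on an expected baseline, which is how a defender turns a scan of their own system into a to-do list. The host address and port list are a constructed sample, and EXPECTED_OPEN is an assumed baseline for a plain web host.

```python
"""Compare nmap grepable output against an expected baseline of open ports."""

# Constructed sample of `nmap -p0-65535 -oG - 192.168.x.x` output; not a real scan.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 3306/open/tcp//mysql///, 5432/open/tcp//postgresql///\tIgnored State: closed (65529)
# Nmap done (constructed sample)
"""

# Assumed baseline: ports a hardened web host is allowed to expose.
# Anything else that shows up open is a finding to review.
EXPECTED_OPEN = {22, 80, 443}


def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":
                hosts.setdefault(host, []).append((port, proto, service))
    return hosts


def unexpected_ports(hosts, expected=EXPECTED_OPEN):
    """Map each host to its open ports that are not in the expected baseline."""
    return {h: [p for p in ports if p[0] not in expected] for h, ports in hosts.items()}


if __name__ == "__main__":
    findings = unexpected_ports(parse_grepable(SAMPLE_NMAP_GREPABLE))
    for host, ports in findings.items():
        for port, proto, service in ports:
            print(f"{host}: unexpected open port {port}/{proto} ({service})")
```

Feed it a real scan with `nmap -p0-65535 -oG scan.gnmap <your-host>` and read the file instead of the sample string.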

DVWA - Damn Vulnerable Web App.

Default username = admin
Default password = password

Accessing the Victim Website


The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML5 web storage, forms caching, and click-jacking.

http://192.168.x.x/mutillidae/

you'll be able to experiment with SQL injection and many other vulnerabilities.

Set the "hints" level to "noob" for the most helpful info :-)

Attacking with ZAP


In Kali, launch Zap from the:
Apps > Kali Linux > Top Ten > Owasp Zap
Enter the Victim IP into the Attack box: http://192.168.x.x
Run the attack, review the Alerts - includes suggested fixes !!!

Now you are Dangerous !!!!

Please be careful...don't scan the internet

It is unlawful to pentest without permission

get written permission, even if it is your site on some hosting company's system

Watch YouTube vids on Metasploitable / Kali


Feel free to contact us with your questions about
cybersecurity activities at UW Bothell / OWASP:

Brendan Sweeney: bps7@uw.edu

David L. Morse: morse808@uw.edu

References

https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

https://cyberarms.wordpress.com/2014/06/05/quick-and-easy-website-vulnerability-scans-with-owasp-zap/

http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

https://www.vmware.com/support/pubs/player_pubs.html

https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0|PLAYER-710|product_downloads

https://www.offensive-security.com/kali-linux-vmware-arm-image-download/

http://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/

https://msfbt.wordpress.com/2012/06/22/metasploitable-2-dvwa-damn-vulnerable-web-app/
